Privacy Policy – Mobile Applications - Slovenská sporiteľňa

(under Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR))

Controller
Slovenská sporiteľňa, a.s., Tomášikova 48, 832 37 Bratislava, Registration No. 00151653, incorporated in the Commercial Register of City Court Bratislava III, Section: Sa, Insert No. 601/B (hereinafter referred to as “the Bank”).
Telephone number: 0850 111 888 e-mail address: info@slsp.sk website: www.slsp.sk

Responsible Person
Correspondence address: Legal Services Division, Slovenská sporiteľňa, a.s., Tomášikova 48, 832 37 Bratislava, e-mail address: osobneudaje@slsp.sk

Mobile Applications
This document explains how the Bank processes personal data specifically in relation to the following mobile applications:

George Slovensko: https://play.google.com/store/apps/details?id=sk.slsp.georgego
SLSP mToken https://play.google.com/store/apps/details?id=com.slsp.mtoken
Business24 https://play.google.com/store/apps/datasafety?id=sk.slsp.business24

and/or in relation to any other mobile applications, desktop applications, internet banking or in general to electronic banking or financial services and products. The owner and operator of the above mentioned mobile applications is the Bank.

This document supplements the main information of the Bank on personal data processing (clients) published on the website of the Bank in section “personal data” (hereinafter referred to as “Main Information”) and further refers also to mobile applications. The reason is that through or by the virtue of mobile applications, banking products and services are still provided to the clients of the Bank.

The use of mobile applications is reserved for the clients of the Bank and/or representatives of the Bank's clients, while it requires to have a contract on providing banking products and services (e.g. contract on current account) with the Bank. Moreover, some functionalities of the mobile applications are conditioned by the conclusion of a specific contract (e.g. contract on security objects, contract on electronic services) or are covered by the specific business terms and conditions of the Bank (e.g. product business terms and conditions for deposit products). In order for the Bank to meet its obligations under the given contracts or terms and conditions, it is necessary to perform processing of data even through the mobile applications.

Purpose and Legal Basis for Personal Data Processing
Within the framework of mobile application, personal data is processed primarily for the purposes of providing banking products and services, while the basis for personal data processing for the above mentioned purpose is (depending on what processing activity is concerned):

consent of the data subject according to Article 6 (1) a) or Article 9 (2) a) of GDPR;
performance of a contract with the data subject according to Article 6 (1) b) of GDPR;
meeting a statutory obligation according to Article 6 (1) c) of GDPR;
legitimate interest according to Article 6 (1) f) of GDPR.

In mobile applications (but mainly in relation to the application “SLSP mToken” and/or “George ID”) there is also personal data processing for the purpose of (i) performing security measures to prevent frauds on the legal base of performing the statutory obligation according to Article 6 (1) c) of GDPR, and simultaneously on the legal base of legitimate interest according to Article 6 (1) f) of GDPR.

Other relevant purposes of processing, legal bases for processing of personal data, as well as legitimate interests pursued by the Bank result from the Main Information.

Legitimate Interests Pursued
In case of the following purposes, we also rely on the legal basis of the legitimate interest according to Article 6 (1) f) of GDPR. Below you will find explanation of the legitimate interests pursued by us.

Advice: The data subject has the right to object to the processing of their personal data based on legitimate or public interest, as well as to processing for the purpose of direct marketing, including objection to related profiling pursuant to Article 21 of GDPR. If the data subject granted their consent to the processing of personal data to the Bank, they have the right to revoke it, while this revocation has no impact on the legitimacy of processing based on the consent prior to its revocation.

Obligation to Provide Personal Data
The provision of personal data by the data subject as a mobile application user is voluntary since the actual use of the mobile application is voluntary. However, without the provision of certain personal data or without the conclusion of a contract with the Bank, it is not possible to use all the functionalities of the mobile applications. It is so due to the reason that the Bank is obliged to verify the identity of the user before entering the protected environment of banking mobile applications. If the client refuses to provide their personal data required based on special legal regulations, the Bank will refuse to perform the banking transaction. If the client refuses to provide their personal data to the Bank, which represent a contractual requirement, no contract may be concluded with them. If the client refuses to provide their personal data to the Bank, which is necessary for the processing and is based on a consent, no such processing may take place.

Data that the Applications Have Access to
According to the rules of Google, mobile applications also obtain some of the so-called “personal and sensitive information”. According to Google, such information include, inter alia: any personal data; financial and payment data; authentication information; or sensor data related to the camera.

If the mobile application requires access to the camera of the mobile device, it does so in order to enable making of a payment by scanning for example of the QR code, money order or bar code or in order to verify your identity, e.g. when opening an account without being present at the branch. At the same time, this way we make sure that we communicate with a living (real) person. If you enable this access for us, it does not give us the right to access the photographs saved in the device and you do not need to worry about them.

If the mobile application requires the use of Face recognition (for example FaceID) functionality on Apple or Android devices, the Bank does not have access to the actual photograph or to any biometric data. They remain processed only through your mobile device and the companies Apple Inc. or Google. By the virtue of Face recognition, the Bank practically asks your mobile device whether it is actually really you. You can completely disable the use of Face recognition in the settings of your device or enable/disable this functionality only for certain applications. You can find more information on Face recognition, as well as on the setting of the said feature here:

If the mobile application processes the GPS location of the device, it does so either in order to identify anomalies indicating fraudulent behaviour or any other malicious activities, to enable a functionality that is directly connected to the location of the device (e.g. offer of currency calculator with pre-set currency based on the location) or due to the increase of service security in general (e.g. when signing the payments). The application user may at any time enable or disable the recording of GPS location of their device.

If the mobile application uses mToken or “George ID”, the condition of the phone and the overall security of your end device are also examined. The aim is to protect the client and the Bank from fraudulent and harmful activities, as required by EU legal regulations (the RTS Regulation to the PSD2 Directive). According to these regulations, the Bank is obliged to monitor signs of malware infection at any stage of the authentication process and to identify unusual use of the device that could compromise the security of your transactions.

As part of the control of condition of the telephone, it is recorded and analysed whether other applications have inadequately strong authorisation or whether such incidents are related to them, which could indicate the presence of a fraud or malicious code (e.g. Root/Jailbreak – iOS, Android; Fingerprint – iOS, Android; SMS hijacking – Android; Overlay detection – Android; Emulator detection – Android, Human checks – Android; Debugger detection – Android).

The analysis of the properties of mobile applications installed on the end user’s device running George or Business 24 is a technical necessity for the proper fulfilment of the Bank’s legal obligations.

The data is used to compare against a predefined list of allowed or prohibited entities and applications, and serves to identify potentially dangerous changes on the side of the user of the George or Business 24 application, as well as to detect malware present on their end device already at its earliest stage.
When scanning the status of applications, we ensure maximum protection of your privacy.

Apart from that, mobile applications process the login data of the user, identification or authentication credentials, data related to the use of applications and mainly entering commands or instructions in relation to payment functionalities and all generally processed personal data in the banking environment (e.g. account balances, movements, payments, etc.).

Mobile applications save two files of cookies to your device; one with the term of use for 1 year and the second one with the term of use for 24 hours. These files are saved in the device through the SDK (software development kit) of the mobile application or JAVA script (so-called snippet) of the web application (internet banking). If the client blocks the saving of cookies on their devices, it does not automatically mean the rejection of service provision but the missing identifier means an increased level of risk, which may result in requesting additional authentication. Only the Bank has access to these files; however, in the environment of the Bank, other (verified) suppliers may work with the information obtained through these files such as the company ThreatMark s.r.o. These files serve exclusively for the purpose of performing security measures for fraud prevention.

We would like to assure you that none of the above mentioned files serve for your monitoring, sale to third parties or marketing. All the processed data is retained exclusively for the necessary time, in a secure manner and only in the necessary scope. In the final end, this information is processed by us in order to protect your from frauds and malicious codes.

Source of Personal Data
Mobile applications obtain the data from you and/or through communication with your device. This does not affect the Bank’s ability to obtain your personal data indirectly, if it is necessary to achieve the intended purpose of personal data processing (for example, when assessing your loan applications submitted via the George mobile application). More detailed information on how we obtain personal data, including the external sources from which it may be collected, is provided in the main information notice pursuant to Articles 13 and 14 of the GDPR in the Privacy Policy.

Period of Data Retention
The collection of the above-mentioned data takes place for as long as the mobile application is installed and used. However, the method and scope of data collection differ depending on their purpose and necessity:

Data conditioned by the settings of your end device: These are pieces of information that are not essential for the technical operation of the application itself (e.g., GPS location for supplementary functionalities or access to the camera). Their collection by the Bank is dependent on you voluntarily granting such access in your mobile device settings. You may change or withdraw these permissions at any time directly in your device. Such data is stored for as long as you use the mobile banking applications.
Security information relevant for the Bank’s FPS system: This includes information about the state and security of your device (e.g., analysis of risk indicators of applications or detection of malicious code). These are processed automatically as an integral and necessary part of the security of George, George ID, and mToken services, even without your consent or permission. This processing takes place on the basis of the Bank’s legal obligations in the area of strong customer authentication and fraud prevention under the PSD2 Directive and the RTS Regulation and is independent of your marketing settings. These data, used exclusively to assess device trustworthiness and protect against fraud, have a validity period of 24 hours and 1 year and may be used only while the mobile banking applications are being used.
Data necessary for documenting transactions between the Bank and the client: These are pieces of information generated during the use of the mobile applications that are necessary for the provision of banking products and services or for demonstrating the fulfilment of the Bank’s legal obligations (including security records relevant to banking operations). Such data is retained for a maximum of 12 years.

The above mentioned data is obtained only during the period when the mobile application is installed and used and only provided that the user enabled the obtaining of sensitive information through the settings of the device. Cookies related to mobile applications have the use term set for 1 year and 24 hours or they are stored only for the duration of the use of the mobile application. More detailed information on how we process “cookies” is provided in the document Use of cookies on the electronic banking websites of Slovenská sporiteľňa

Personal Data Recipients
Authorised employees of the IS Security Management Department and verified suppliers of the Bank in the field of security who are duly and legally bound to the Bank in accordance with the applicable legislative requirements, which also increases the level of legal safeguards for the protection of your privacy and personal data.(mainly the company ThreatMark s.r.o.) have access to the data processed.

Cross-border Transfer of Personal Data
In relation to mobile applications, the Bank does not perform any cross-border transfers of personal data to third countries (i.e. outside the EU, Norway, Iceland and Lichtenstein).

Rights of the Person Concerned in the Personal Data Processing
The client as a data subject has the right mainly to require from the Bank as controller the following:

access to personal data according to Article 15 of GDPR;
correcting incorrect and supplementing incomplete personal data according to Article 16 of GDPR;
deletion of personal data processed by the Bank according to Article 17 of GDPR;
restriction of processing of personal data according to Article 18 of GDPR;
transmission/portability of data provided to the Bank according to Article 20 of GDPR in a structured, machine-readable format, which are automated and are processed under contract or consent.

The person concerned has the right:

to object to the processing of personal data processed by the Bank on the legal basis of the protection of legitimate interests, including profiling and direct marketing according to Article 21 of GDPR;
request not to apply automated individual decision-making to them under the terms and conditions stipulated in Article 22 of GDPR;
to revoke consent to the processing of personal data,
file a complaint to the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic, and/or an application initiating proceedings pursuant to Section 100 of the Act No. 18/2018 Coll. on personal data protection.

Automated Decision-making and Profiling

Provision of banking products (especially loans)
When preparing pre approved loans and assessing loan applications, the Bank creates your credit risk profile by processing various input data from your application, data on your use of other products within the Bank, and information from external sources (e.g., credit registers, joint banking information registers, data from the Social Insurance Agency).

As a consequence of this processing, an automated system may decide whether a loan product will be provided to you under standard conditions, with a higher level of security, in a different amount, or whether your application will be rejected.
Implementation of security measures to prevent fraud
This process is necessary to ensure strong customer authentication under the PSD2 Directive and the RTS Regulation. The system (FPS) evaluates in real time a large number of risk signals that may indicate fraudulent misuse of your account. During this analysis, the system assesses whether access to electronic services shows anomalies (e.g., presence of malware, unusual behavior on the end device, or known types of cyberattacks).

As a consequence of this processing for your rights and freedoms during regular transactions, if the system does not detect a security risk, the transaction is confirmed in the standard way with a single click.

As a consequence of this processing for your rights and freedoms during high risk transactions, if the system identifies risk signals, it may require additional verification from you (e.g., via mToken, George ID, or SMS key). In serious cases, temporary restrictions on access to electronic banking services in the George or Business 24 applications may occur, along with parallel reporting of the event to the Bank’s security personnel for further investigation.

Validity and Effect
This document is effective from January 31, 2026 and each of its version is effective by its publishing on the website of the Bank, in the app store or in the mobile application. The Bank reserves the right to unilaterally amend this information and the Bank shall inform the data subjects of substantial changes in an appropriate manner, e.g. by a notice in the mobile application. If the changes are not of substantial nature, the Bank shall publish the new version of information at the same place where the original version is.